[rsbac] Reply: Re: [rsbac] Backup problem

Amon Ott rsbac@rsbac.org
Thu Aug 8 15:28:01 2002


On Thursday, 8. August 2002 14:00, ghorvath@minolta.hu wrote:
> On Thursday, 8. August 2002 10:06, ghorvath@minolta.hu wrote:
> > I am using 1.2.1-pre1 because when I wanted to update my working config 
> > was unable even to start my machine. But this is another story.
> > 1. At me, System Admin role doesn't have access to SCD [network nor 
> > firewall] at all. The problem is when I make a backup and restore it, it
> > will have full access.
> > 2. The same with NET{DEV,TEMP,OBJ} System Admin role has NO access to 
> > these. Contrary to this after a backup/restore it will.
> 
> The problem here are the default settings for an unconfigured system.
> -----------
> Yes I understand this, but why doesn't the backup script save my null 
> rights into the file, and then the restore process should overwrite the 
> default settings? Like with SCD [host_id]?

Null rights items get removed in the data structures, so we can only guess 
where items should be zeroed - probably in the default cases. It would have 
worked, if you had left a single right active.

A possible workaround is to remove roles 0-2 before restore to get all rights 
revoked:
rc_set_item role ROLE <num> remove_role

The current rsync version of the tools now includes a new switch -r to 
rc_get_item backup, which adds this for every role in the backup. This switch 
is also used in backup_all.

But you then have to switch off RC module or use maint kernel on restore!

> > 3. By the way, after a backup in the backup file I will find 
> > "attr_set_file_dir //etc/.." instead of "attr_set_file_dir FD //etc/..". I
> > have to make the changes by hand (I have a small script for it :-). Is
> > this normal or it is not but it is corrected in a later version?
> 
> It should work nevertheless, because FD is the default target and gets used
> when missing. Will correct this.
> -------------
> Unfortunately it doesn't work. At least not with 1.2.1-pre1. Right now I 
> am testing pre4.

Some (but not all) FD outputs were missing in attr_back_fd, I have put them 
in. Also in rsync version, just sync it into your -pre4 tree.

Amon.
--
http://www.rsbac.org
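
Added example, not part of the original message and not RSBAC code: a simplified Python model of why a backup cannot record null rights when empty items are deleted from the store, and why removing the role before restore gives the intended result. The target names, right names, default rights and command tuples are constructed assumptions for illustration.

```python
# Simplified model only. Names and defaults below are constructed, not RSBAC's.
FULL = frozenset({"READ", "MODIFY"})
TARGETS = ("scd:network", "scd:firewall")

def unconfigured_defaults():
    """Assumed state of an unconfigured system: role 1 has full rights."""
    return {1: {t: set(FULL) for t in TARGETS}}

def set_rights(system, role, target, rights):
    """Sparse store: an empty rights set is deleted, not kept as an item."""
    items = system.setdefault(role, {})
    if rights:
        items[target] = set(rights)
    else:
        items.pop(target, None)

def backup(system, remove_first=False):
    """Emit commands for stored items only; null items cannot appear."""
    cmds = []
    for role, items in sorted(system.items()):
        if remove_first:  # models the "remove role before restore" workaround
            cmds.append(("remove_role", role, None, None))
        cmds.append(("create_role", role, None, None))
        for target, rights in sorted(items.items()):
            cmds.append(("set_rights", role, target, frozenset(rights)))
    return cmds

def restore(cmds):
    """Replay a backup on top of the unconfigured defaults."""
    system = unconfigured_defaults()
    for op, role, target, rights in cmds:
        if op == "remove_role":
            system.pop(role, None)      # drops the default rights as well
        elif op == "create_role":
            system.setdefault(role, {})
        else:
            set_rights(system, role, target, rights)
    return system

def effective(system, role, target):
    """Rights the role ends up with on the target (empty set if none)."""
    return system.get(role, {}).get(target, set())

if __name__ == "__main__":
    cfg = unconfigured_defaults()
    for t in TARGETS:
        set_rights(cfg, 1, t, set())    # admin revokes everything
    print("plain restore :", effective(restore(backup(cfg)), 1, TARGETS[0]))
    print("remove first  :", effective(restore(backup(cfg, True)), 1, TARGETS[0]))
```
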